Home News Ethereum-based 'Shitcoin Wallet' Chrome Extension Stealing Keys, Funds

Ethereum-based ‘Shitcoin Wallet’ Chrome Extension Stealing Keys, Funds

TL;DR: Harry Denley, Director of Security at the MyCryptoclub, claims to have discovered a “browser crypto wallet is injecting malicious JS to steal secrets from @myetherwallet @idexio @binance @neotrackerio @SwitcheoNetwork.” It’s known as Shitcoin Wallet, a Chrome extension he insists “also sends secrets to their backend!”

Shitcoin Wallet Chrome Extension Stealing Keys

“Extension loads from remote server and injects content_.js and jquery.js,” Denley explained. “Deobfuscated content_.js file: https://pastebin.com/raw/ZtUpWVvT.” It’s a Google Chrome extension he believes is stealing passwords and private keys, injecting JavaScript (JS) through web pages. It’s relatively new, and goes by the name Shitcoin Wallet (id: ckkgmccefffnbbalkmbbgebbojjogffn).

Shitcoin Wallet (SW) offers to allow holders of ETH and ERC20 tokens an easier way to manage their coins. Browser wallets are becoming increasingly more popular for being “light” weight relative to storage. SW can also be installed via Windows desktop as an application, however. All ETH and ERC20 tokens on SW appear to be at risk, Denley insists, as SW sends users’ private keys to yet another site, erc20wallet[.]tk.

Shitcoin Wallet

SW injects malicious JS when users hop on MyEtherWallet.com, Idex.Market, Binance.org, NeoTracker.io, and Switcheo.exchange, zapping login information and sending it along. As of publication, it does appear Google Web Store has nixed the Shitcoin Wallet, though various reports insist more than 600 installs did take place over the last month or so.

At press time as well, the SW team hasn’t made a public statement about allegations. The project does have a 1,000 member Telegram group, which at present appears to be flooded with complaints and general spam offers. It’s Twitter account hasn’t posted since late December of last year.


CONTINUE THE SPICE and check out our piping hot VIDEOS. Our podcast, The CoinSpice Podcast, has amazing guests. Follow CoinSpice on Twitter. Join our Telegram feed to make sure you never miss a post. Drop some BCH at the merch shop — we’ve got some spicy shirts for men and women. Don’t forget to help spread the word about CoinSpice on social media.

DYOR: CoinSpice is your home for just spicy crypto things. We’re not affiliated with any cryptocurrency project or token. Each published piece is intended for information purposes only, not investment advice and not in the hope of impacting speculative markets. There are plenty of trading sites and coin-specific advocacy journals out there, we’re neither. CoinSpice strives for rigorous accuracy in our reporting. Information presented here is contingent usually on a host of factors, and the ecosystem moves fast — prices change, projects change, and at warp speed. Do your own research.

DISCLOSURE: The author holds cryptocurrency as part of his financial portfolio, including BCH.